Closed Bug 680498 Opened 13 years ago Closed 13 years ago

Incomplete fix to bug 665934 (return value of GrowAtomTable not checked)

Categories

(Core :: Graphics: CanvasWebGL, defect)

Type: defect, Priority: Not set, Severity: normal

RESOLVED DUPLICATE of bug 680840

People

(Reporter: bsterne, Unassigned)

Details

(Whiteboard: [sg:dupe 680840])

Hi,

We reported to you bug number 665934 regarding a memory corruption security issue. We see that you have released a fix; however, after reviewing the fix, it doesn't resolve the issue.

Our researcher who reviewed the case made the following comment:

The report I made actually consisted of two separate bugs in the 'atom.c' file. The first one was fixed in FF6 and ANGLE, but it doesn't look like the other one has been. Is this being handled in another bug entry? The bug I refer to is the one where no one checks the return value of GrowAtomTable to ensure it succeeds; by doing a memory exhaustion attack it is possible to not grow the tables, yet the code will write into the buffers as if they had been, leading to memory corruption. This is what the original PoC I sent should exploit; however, it doesn't seem to work on FF6 due, I think, to another bug you fixed: you cannot seem to get a large enough shader program to be compiled anymore. Still, the bug is there in the code base.

Cheers,

Michael Jordon
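The defect pattern described in the report, as an added illustration that is not ANGLE's actual atom.c code: a hypothetical atom table whose growth routine can fail under memory exhaustion, with the caller checking the result before storing (the flawed version ignores the return value and writes anyway). The `simulate_oom` hook is an assumption introduced here to stand in for allocation failure.

```c
#include <stdlib.h>

/* Hypothetical atom table for the unchecked-growth defect in the report; not ANGLE's atom.c. */
typedef struct {
    const char **atoms;  /* interned string pointers */
    int size;            /* capacity */
    int count;           /* entries in use */
} AtomTable;

/* Test hook (assumption): non-zero makes every allocation fail, like memory exhaustion. */
int simulate_oom = 0;

/* Returns 1 on success, 0 on failure; on failure the table is left unchanged. */
int GrowAtomTable(AtomTable *t, int newSize)
{
    const char **grown;
    if (newSize <= t->size) return 1;
    grown = simulate_oom ? NULL : realloc((void *)t->atoms, (size_t)newSize * sizeof *grown);
    if (grown == NULL) return 0;
    t->atoms = grown;
    t->size = newSize;
    return 1;
}

/* Hardened insert: the store happens only after growth is known to have succeeded.
   The defect is this same call with its result ignored, followed by the store into
   atoms[count] as if the table had grown. Returns the index, or -1 on failed growth. */
int AddAtom(AtomTable *t, const char *s)
{
    if (t->count >= t->size) {
        int wanted = t->size == 0 ? 2 : t->size * 2;
        if (!GrowAtomTable(t, wanted)) return -1;  /* refuse rather than overflow */
    }
    t->atoms[t->count] = s;
    return t->count++;
}

/* Fills a two-slot table, then forces allocation failure on the next insert.
   Returns 1 if that insert was refused and the table was left untouched. */
int demo_oom_refused(void)
{
    AtomTable t = { NULL, 0, 0 };
    AddAtom(&t, "main");
    AddAtom(&t, "gl_FragColor");
    simulate_oom = 1;
    int refused = AddAtom(&t, "texture2D") == -1 && t.count == 2 && t.size == 2;
    simulate_oom = 0;
    free((void *)t.atoms);
    return refused;
}
```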
I independently discovered the incomplete fix while investigating someone else's bug that got fixed by the partial patch in bug 665934 (missed this one because it wasn't linked to the original bug in the dependency chain). I'm going to dupe this forward since the other bug goes into slightly more detail (which apparently the developers need) and already has both Mozilla and TransGaming (ANGLE devs) folks CC'd.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Group: core-security
Whiteboard: [sg:critical?] → [sg:dupe 680840]